Location: backend/src/config/auth.config.ts (around line 6)
Problem:
The JWT secret falls back to a hardcoded default ('your-secret-key-min-32-chars-change-in-production') when JWT_SECRET is not set in the environment. If this is ever deployed without the env var explicitly configured, every token can be forged by anyone who reads the source code.
Why it matters:
This is a critical authentication bypass risk — any environment that forgets to set JWT_SECRET is fully compromised.
Suggested fix:
- Throw on startup (fail fast) if
JWT_SECRET is not set, instead of silently falling back to a weak default.
- Add a startup validation step (e.g. in
main.ts or a config validation schema) that checks secret length/entropy.
Acceptance criteria:
- App refuses to boot without a properly configured
JWT_SECRET.
- A test covers the failure case.
Location:
backend/src/config/auth.config.ts(around line 6)Problem:
The JWT secret falls back to a hardcoded default (
'your-secret-key-min-32-chars-change-in-production') whenJWT_SECRETis not set in the environment. If this is ever deployed without the env var explicitly configured, every token can be forged by anyone who reads the source code.Why it matters:
This is a critical authentication bypass risk — any environment that forgets to set
JWT_SECRETis fully compromised.Suggested fix:
JWT_SECRETis not set, instead of silently falling back to a weak default.main.tsor a config validation schema) that checks secret length/entropy.Acceptance criteria:
JWT_SECRET.